You are missing a whole bunch - this bug when exploited permits someone to read the memory of the server - and once you log in and your data is read into memory, it might be possible for someone to read all your personal account info - name, account numbers, etc., along with any data you transmit to them or that the server transmits to you and could allow the exploiter to impersonate the service and the user. Best I can understand, the exploiter would not need to "log in" to your account at some later time, they are already in.

Now that a few days have passed, some dust has settled and things seem clearer.

The OpenSSL bug allowed attackers who were monitoring a site to "see" the contents of RAM for a while after you've input login credentials. That's a serious flaw, but your risk of this happening to you individually seems, to me, pretty low.

Banks (and Apple, and Microsoft) don't use OpenSSL, so it's a non-issue with them (as you can see from the Mashable page).

If you use iCloud keychain or 1Password or a program like that, this is an excellent opportunity to change your password from something old and weak to something new and strong. Take advantage of that.

Banks (and Apple, and Microsoft) don't use OpenSSL, so it's a non-issue with them (as you can see from the Mashable page).

I'm willing to bet good money that they actually do (except for MS who likely uses IIS and their own SSL implementation). For example, Apple is known to use OpenSSL. Indeed, the LastPass HB checker notes this for something like iCloud (see here). While it's possible that Apple has crafted their own implementation of SSL and TLS, I'm not counting on it given that, last estimate I saw, OpenSSL was the implementation used for nearly 2/3 of all SSL and TLS implementations. Beyond that, given that this wasn't an official announcement from Apple (a "spokesperson" made the claim with no official release) and their rich Unix legacy, I think it's safe to say that OpenSSL is widely used. I could be wrong but until there's some official announcement, the odds are against the idea that Apple doesn't use it (which is certainly not a criticism for it's a fine piece of software).

Banks though will definitely be using it. Unless they're running Windows servers (and thus likely running IIS), odds are that they'll be using it. For example, the CBA notes (source) that banks aren't affected (given the multiple layers of security) but none of them notes that they weren't using OpenSSL (which leads me to believe that they were and still probably are).

Call me a skeptic but until there's evidence that these groups don't use OpenSSL, I'm inclined to believe that they do. However, this doesn't necessarily mean that they're affected for they could be running an unaffected version.

What I find odd about the advice being given out by the press, is that they say, for example, not to use online banking until the bank's web site has verified that they are not affected by Heartbleed, or they have rectified their web site. Not sure about anyone else, but my bank has issued me with a code generator. This is part of the log-in process, and the code is different for each log-in. So if someone got the rest of your log-in details, how would they circumvent the one-off code?
Am I missing something here?

It's a pity more banks use code generators. In the UK Barclays does but my bank doesn't.

Call me a skeptic but until there's evidence that these groups don't use OpenSSL, I'm inclined to believe that they do. However, this doesn't necessarily mean that they're affected for they could be running an unaffected version.

"Apple has said its operating systems, OS X and iOS, as well as web services including iTunes and iCloud, which are used by millions of users and generate millions of transactions per day, never used the vulnerable OpenSSL implementation."

Emphasis mine, but that seems pretty clear-cut to me.

Addendum: the latest version of Mavericks, on an unmodified system, reports it is equipped with version 0.9.8y, last updated 5 Feb 2013 (your date might vary). Of course you're not normally using OpenSSL at all (on a user's end) unless you've set up a web server, and even then it appears you are unaffected. To me this lends credence to Apple's contention that OS X has never used the vulnerable OpenSSL implementation, at the very least.

It's not that OS X & iOS don't have it/use it, it's that the services that Apple leverages might. For example, iCloud runs off of Linux boxes (source) which most likely do use OpenSSL in some fashion. In this way, Apple has likely indirectly leveraged OpenSSL along the way at some point since most of their web based services are managed by non-Apple platforms. It's pure speculation on my part but it's safe to say that, since 2/3 of the web is powered by it for cryptographic work (source), it's been involved at some point.

It's pure speculation on my part but it's safe to say that, since 2/3 of the web is powered by it for cryptographic work (source), it's been involved at some point.

But that has nothing to do with this thread, which is titled "Heartbeat OpenSSL bug does not affect OSX." While I will cheerfully admit that the title of the thread could have been more specific, reading it makes it obvious that we are talking about any manifestations of OpenSSL *included* in OS X. Thus, the statement that OS X is not affected by the bug is true.

All of us as *users of the internet* have been affected by this flaw of course. But that's a different topic. So too is whether or not anything *Apple* is using was affected (the company has already gone on record saying that iCloud and iTunes were not affected).

All of us as *users of the internet* have been affected by this flaw of course.

So, OS X users are affected by the bug.

Such a suggestion also fails to recognize that various applications leverage OpenSSL and may use different versions than the system provided one. Blanket statements such as "OS X is not affected" fail to see that, with software such as OpenSSL, it might very well be. WD MyCloud software, LastPass and LibreOffice were all vulnerable for example, all software that could be run on a Mac. This issue is bigger than just the OS, effectively making the OS vulnerable.

Again, that is not the topic of discussion in this thread, and a deliberate misreading of the title.

There are other threads on Heartbleed generally, or if there aren't enough of them for you already, perhaps you could start one on the apps, sites and other Mac-related services that could be affected by the problem. Sounds like a good useful thread to have.

Again, that is not the topic of discussion in this thread, and a deliberate misreading of the title.

I'm not quite sure how you think you can separate the software from the users (both consumers and developers) that use it in terms of security but so be it. Heartbleed affects software which runs on OS X. It really is as simple as that.